Bug 251020 (Closed): Email security-group@mozilla.org whenever security bug is filed
Opened 20 years ago; closed 20 years ago
Categories: bugzilla.mozilla.org :: General, defect, P2
Status: RESOLVED FIXED
People: Reporter: gerv, Assigned: gerv
Attachments: 2 files, 2 obsolete files (2.55 KB patch; 1.85 KB patch)

We need custom code for b.m.o. to CC security-group@mozilla.org (on the initial email only) when a bug is filed in the security group. While we are there, we may as well do the same for security@bugzilla.org and the Webtools security group. Ideally, the security group would also get the email which is sent out whenever that bit is removed from a bug, so they can see anyone making security bugs public. Gerv
Comment 1•20 years ago (Assignee)
Shaver: any further comments? Gerv
Severity: normal → major
Status: NEW → ASSIGNED
Priority: -- → P2
Sounds good. I'd also like a FIXED notification for any bug that had the bit set in its lifetime, to aid in updating of the known-vuln list, but that's less critical, I think.
Comment 3•20 years ago (Assignee)
That's also a bit harder to do. You'll just have to file the "bit-set" notifications ;-) That's a point, actually. We want a "bit-set" notification, not a "new bug with the bit" notification, so the group gets an email when a bug is closed post-filing. So what we actually want is a "bit-toggled" notification. Gerv
Comment 4•20 years ago
From an email thread I was involved in before I saw this bug:

It's pretty trivial to push an email onto the CC list for a bug for just that first email from post_bug.cgi. (Push it onto the CC list after the bug is written to the database but before it sends the email.) Unfortunately, the mail processing code will refuse to send mail to users that don't exist (it'll just silently discard them). And hacking an exception to that is not exactly straightforward and stands a good chance of breaking things. Of course, if you want to go that route, that's trivial to get around by creating a user with that email address. On the other hand, it exposes that email address to the general user population, because it'll show up in the "mail sent to" thing after the bug is filed.

Another option: Anyone remember whinemail? We used to have mail sent to any bug in the NEW state that hadn't been touched in the last 7 days. Bugzilla still has the functionality, but it's long been disabled on mozilla.org. It would probably be fairly trivial to clone that and change the query to look up security bugs filed in the last 24 hours or something. There's nothing that says it can't run hourly, either, if you want to know about it that quickly. Could also mail a report on open security bugs that haven't been touched in some set period of time, too.

The point is setting up whinemail again and specializing it for this task is probably going to be much easier than hacking process_bug and post_bug to mail under specific circumstances. On the other hand, if we don't mind exposing those addresses (the existence of this bug in public seems to indicate we don't), then creating an account for them and manually pushing them on the recipient list when that bit is added or removed is probably the easiest thing to do.
Comment 5•20 years ago (Assignee)
I'd go for the last option (creating an account and pushing the address when the bit is toggled.) Both security-group@mozilla.org and security@bugzilla.org are public addresses. Gerv
Comment 6•20 years ago (Assignee)
This should do it. I've tested it on my local installation by creating a couple of groups of the same name, and checking the output of BugMail.pm's logging. The patch is against the tip, but that should probably be OK. It's also not too intrusive, which is good. Gerv
Comment 7•20 years ago (Assignee)
Dave: any chance of a review? (This product doesn't have the appropriate flags.) Gerv
Comment 8•20 years ago
Looks good to me except for the enableSendmail = 0 at the top. :) Also, this doesn't do anything with bugs that are initially filed as security bugs. Fortunately I already had that part written. This combines my patch with yours.
Attachment #153137 - Attachment is obsolete: true
Comment 9•20 years ago (Assignee)
Looks good to me, although you should probably add a comment so it's totally obvious that this is a local customisation when people come to do merging. Ship it? :-) Gerv
Comment 10•20 years ago (Assignee)
Dave: ping? If this patch is good, can we apply it? The security-group rather want this feature. Gerv
Comment 11•20 years ago
Doh, I thought it had been applied, but I guess it hadn't. It has been now.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment on attachment 153138 Patch v2

>+push (@cc, "security-group@mozilla.org") if (grep {$_ == 2} @groupstoadd);
>+push (@cc, "security@bugzilla.org") if (grep {$_ == 12} @groupstoadd);

[Wed Sep 1 21:39:37 2004] post_bug.cgi: Possible unintended interpolation of @mozilla in string at /opt/webtools/bugzilla/post_bug.cgi line 468.
[Wed Sep 1 21:39:37 2004] post_bug.cgi: Possible unintended interpolation of @bugzilla in string at /opt/webtools/bugzilla/post_bug.cgi line 469.
[Wed Sep 1 21:39:37 2004] [error] [client 24.31.83.43] malformed header from script. Bad header=<pre>Global symbol "@mozi: /opt/webtools/bugzilla/post_bug.cgi
[Wed Sep 1 21:39:37 2004] post_bug.cgi: Global symbol "@mozilla" requires explicit package name at /opt/webtools/bugzilla/post_bug.cgi line 468.
[Wed Sep 1 21:39:37 2004] post_bug.cgi: Global symbol "@bugzilla" requires explicit package name at /opt/webtools/bugzilla/post_bug.cgi line 469.
[Wed Sep 1 21:39:37 2004] post_bug.cgi: Execution of /opt/webtools/bugzilla/post_bug.cgi aborted due to compilation errors.

I think you need either single quotes or a backslash before the @-sign.
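Review bot: Both quoted `push` lines select the group by a bare numeric id (`$_ == 2`, `$_ == 12`) with nothing saying which group each id stands for, so a renumbered or recreated group would silently stop or misdirect the CC. Suggest a named constant or a short comment per line stating the group each id maps to. The double-quoted address literals on the same two lines also interpolate `@mozilla` and `@bugzilla`, which is what the compilation errors in the log report; single-quoted literals avoid that.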
Comment 13•20 years ago
>I think you need either single quotes or a backslash before the @-sign.
Indeed. Fixed.
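
The compilation failure discussed in the two comments above comes from Perl treating `@mozilla` and `@bugzilla` as arrays inside double-quoted strings. The following is an added example, not code from the attached patches: the snippet strings, the helper names `try_snippet` and `security_cc`, and the sample group list are constructed, while group ids 2 and 12 are the ones quoted in the comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed candidates: three ways of writing the CC address in source.
my %candidates = (
    double_quoted => q{my @cc; push(@cc, "security-group@mozilla.org"); $cc[0]},
    single_quoted => q{my @cc; push(@cc, 'security-group@mozilla.org'); $cc[0]},
    escaped       => q{my @cc; push(@cc, "security-group\@mozilla.org"); $cc[0]},
);

# Compile and run one snippet under strict, the way a CGI script is compiled.
# A compile error leaves the result undefined and the message in $@.
sub try_snippet {
    my ($code) = @_;
    my $value = eval "use strict; $code";
    return defined $value
        ? "ok: $value"
        : "compile error: " . (split /\n/, $@)[0];
}

for my $name (sort keys %candidates) {
    printf "%-14s %s\n", $name, try_snippet($candidates{$name});
}

# Corrected form of the two quoted lines: single-quoted addresses,
# group ids 2 and 12 as they appear in the comment.
sub security_cc {
    my @groupstoadd = @_;
    my @cc;
    push(@cc, 'security-group@mozilla.org') if grep { $_ == 2 }  @groupstoadd;
    push(@cc, 'security@bugzilla.org')      if grep { $_ == 12 } @groupstoadd;
    return @cc;
}

# Constructed group list: only id 12 matches, so one address is added.
print join(', ', security_cc(7, 12)), "\n";
```

Running `perl -c` on the edited script before deploying it reports the same "Global symbol ... requires explicit package name" error without serving a broken page.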
Comment 14•20 years ago
Revised patch, takes into account the bugs in the previous one, as well as changing the address from security-group to security.
Updated•20 years ago
Attachment #153138 - Attachment is obsolete: true
Updated•19 years ago
Attachment #158269 - Attachment description: Patch v3 → Patch v3 (2.19.1)
Comment 15•19 years ago
Updated•13 years ago
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org